Custom authentication in Apex (part 1)

Another word for authentication is access control. Authentication is the mechanism to verify the user’s identity and provide access to a system or application based on the credentials entered by the user. Authorization, on the other hand, says something about the degree of access granted to resources.

For authentication, different methods exist in Apex. The most basic one is ‘no authentication’, which is not desirable in most cases. No authentication means ‘everyone can enter’. Not good.

The two other out-of-the-box authentication methods are Application Express and database authentication. The first is a built-in mechanism which is customizable to a certain degree. The second just uses the accounts present in the database to authenticate. Mind you, only to authenticate. Any query or DML against the database will go through the APEX_PUBLIC_USER and the schema defined in your application. So you are not logged in to the underlying database with that database user! Only in the application itself. There is another way, which uses the OID or another LDAP mechanism. This is outside the scope of this post.

In fact, the only difference between the configuration of Apex and database authentication is the keyword in the Authentication Function field. If you enter -BUILTIN- here, Apex will use Application Express authentication. Change it to -DBACCOUNT- and Apex uses database authentication. So the authentication functions are built-in, but the schemes are not. They’re just pre-configured, and that might be confusing.

More interesting, however, is custom authentication. What you do here is use a database function which is called in the logon process. This function handles the authentication for you, and returns true or false. Because you define the function, you can be as flexible as you like: create your own table with application users, where you store usernames and passwords, but also the number of invalid logins, login policies, the users’ department and any other kind of information you might need. Need auditing? No problem! Hook on to an existing authentication process? Can do!
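A sketch of such a function, added here as an illustration and not the author's code: the table `app_users`, the function name `custom_auth`, the five-attempt lockout and the uppercase-username convention are all assumptions. It stores a salted SHA-256 hash through `DBMS_CRYPTO` (needs an execute grant, Oracle 12c or later) to keep the example short; a slow key-derivation function is the better choice for real password storage.

```plsql
-- Hypothetical user table: never store the clear-text password.
create table app_users (
  username      varchar2(100) primary key,      -- stored in upper case (assumption)
  salt          raw(16)  not null,              -- e.g. dbms_crypto.randombytes(16)
  password_hash raw(32)  not null,              -- SHA-256 over salt || password
  failed_logins number       default 0   not null,
  locked        varchar2(1)  default 'N' not null
);

create or replace function custom_auth (
  p_username in varchar2,
  p_password in varchar2
) return boolean
is
  pragma autonomous_transaction;                -- keep counter updates even on failure
  c_max_failures constant pls_integer := 5;     -- assumed lockout policy
  l_user app_users%rowtype;
  l_hash raw(32);
begin
  begin
    select * into l_user
      from app_users
     where username = upper(p_username)
       for update;                              -- serialize concurrent login attempts
  exception
    when no_data_found then
      rollback;
      return false;                             -- same answer as a wrong password
  end;

  l_hash := dbms_crypto.hash(
              utl_raw.concat(l_user.salt,
                             utl_i18n.string_to_raw(p_password, 'AL32UTF8')),
              dbms_crypto.hash_sh256);

  if l_user.locked = 'N' and l_hash = l_user.password_hash then
    update app_users set failed_logins = 0 where username = l_user.username;
    commit;
    return true;
  end if;

  update app_users                              -- count the failure, lock at the limit
     set failed_logins = failed_logins + 1,
         locked = case when failed_logins + 1 >= c_max_failures then 'Y' else locked end
   where username = l_user.username;
  commit;
  return false;
end custom_auth;
/
```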

By now I hope you are pretty curious how this all works in detail. I’ll tell you all about it in Part 2 of this blog. Stay tuned!

6 Comments

I get requests for the part 2 now and then, which was never published here. Please email me if you want some sample code (which I already did for some people). email is [ atb2623 apetail psinke dot nl ].

Hi, interesting but what’s the name of the custom function? Or where can I get an example? I need to build a custom login with user, passwords etc. stored in a table, now I know the process but an example would be great!
